Structure of Dr.Web for UNIX Mail Servers

Dr.Web for UNIX Mail Servers is a software suite consisting of a set of components, where each component has its own set of functions. The components are separated into the following categories according to their objectives:

basic anti-virus components which form the Dr.Web for UNIX Mail Servers core. In the absence of the components under this category, the product cannot scan files (and other data) for viruses and other threats;

threat search components. These components are used to solve Dr.Web for UNIX Mail Servers basic tasks—detecting threats and potentially dangerous objects. In their operation the components falling under this category use basic anti-virus components;

service components, which solve the auxiliary anti-virus protection issues (anti-virus databases updates, centralized protection servers connection, common Dr.Web for UNIX Mail Servers operation managing, and so on);

interface components, which provide (the user or third party applications) with the interface for controlling Dr.Web for UNIX Mail Servers.

Below is the list of Dr.Web for UNIX Mail Servers components.

1. Basic Anti-virus Components

Component

Description

Dr.Web Virus-Finding Engine

An anti-virus engine. Implements algorithms to detect viruses and malicious programs (by using a signature and heuristic analysis).

Controlled by the Dr.Web Scanning Engine component


Library file: drweb32.dll.

Logged internal name: CoreEngine

Scanning engine. This component loads Dr.Web Virus-Finding Engine and virus databases.

Sends the contents of files and boot records to the anti-virus engine for scanning.

Manages a queue of the files to be scanned.

Cures threats to which this action is applicable.

Operates under the control of Dr.Web ConfigD or autonomously.

Used by the Dr.Web File Checker and Dr.Web Network Checker components. Also can be used by the Dr.Web MeshD component (in particular modes) and by external (in relation to Dr.Web for UNIX Mail Servers) applications using directly the Dr.Web Scanning Engine API


Executable file: drweb-se.

Logged internal name: ScanEngine

Virus databases

An automatically updated database of signatures of viruses and other threats, as well as of malicious software detection and neutralization algorithms.

Used by Dr.Web Virus-Finding Engine and is bundled with it

Databases of web resource categories

An automatically updated database containing a list of categorized web resources and being used to identify unwanted websites.

Used by components that scan network activity of users and applications, such as SpIDer Gate, Dr.Web MailD

A component for scanning file system objects and a quarantine manager.

Receives tasks from the threat scanning component on scanning files in the local (relative to Dr.Web Scanning Engine) file system.

Surfs the file system directories according to the task, sends files for scanning to Dr.Web Scanning Engine and notifies the client components about the scanning progress.

Deletes infected files, puts them in and restores them from quarantine, manages quarantine directories.

Builds the cache and keeps it up-to-date. The cache contains information about previously scanned files to reduce the frequency of rescanning files.

Used by components that scan file system objects


Executable file: drweb-filecheck.

Logged internal name: FileCheck

A network data scanning agent.

Used to send data to the scanning engine for actual scanning. The data is sent by components of the product via the network (such components as Dr.Web ClamD, SpIDer Gate, Dr.Web MailD).

Allows Dr.Web for UNIX Mail Servers to manage distributed file scanning: to receive/transmit files for scanning from/to remote hosts. For that purpose, remote hosts must feature an installed and running Dr.Web for UNIX operating systems. In the distributed scanning mode, it allows automatic distribution of scanning load among available hosts by reducing load on hosts with a large number of scanning tasks (for example, on mail servers and internet gateways).

If the network contains partner hosts that can receive data for scanning, the components that use Dr.Web Network Checker for scanning may operate without local Dr.Web Scanning Engine. Thus, local Dr.Web Scanning Engine, Dr.Web Virus-Finding Engine and virus databases may be absent.

For security reasons, files are transmitted over the network using SSL


Executable file: drweb-netcheck.

Logged internal name: NetCheck

A component for analyzing whether a URL falls under potentially dangerous or unwanted categories


Executable file: drweb-urlcheck.

Logged internal name: UrlCheck

A component that connects Dr.Web for UNIX Mail Servers to a local cloud, which allows Dr.Web for UNIX products to exchange updates, results of file scanning, transmit files to each other for scanning, as well as to provide scanning engine services directly.

If this component is included in the product and the local cloud to which it is connected contains hosts providing scanning engine services, local Dr.Web Scanning Engine, Dr.Web Virus-Finding Engine and virus databases may be absent


Executable file: drweb-meshd.

Logged internal name: MeshD

2. Threat Search Components

Component

Description

A component for monitoring network traffic and URLs.

It is designed to scan data downloaded from the network to the local host and passed from it to the external network for threats. The component also prevents connections with the network hosts added to the unwanted categories of web resources or black lists created by the system administrator.

Used by the Dr.Web MailD component in the mode of the transparent proxy of email protocols (SMTP, POP3, and IMAP).

Uses the Dr.Web Network Checker component to scan received data.

The component is supplied only with the distributions designed for GNU/Linux OSes.


Executable file: drweb-gated.

Logged internal name: GateD

A network connection monitor.

Used by SpIDer Gate and provides connection routing for applications that operate on a host to scan traffic of these connections.

The component is supplied only with the distributions designed for GNU/Linux OSes.


Executable file: drweb-firewall.

Logged internal name: LinuxFirewall

A component for scanning email messages.

Analyzes email messages and prepares them for scanning for threats. It can operate in two modes.

1)A filter for mail servers (Sendmail, Postfix, and so on) connected via the Milter interface, Spamd or Rspamd interfaces.

2)A transparent proxy of email protocols (SMTP, POP3, and IMAP). SpIDer Gate is used in this mode.

Uses the Dr.Web Network Checker component to scan data extracted from email messages


Executable file: drweb-maild.

Logged internal name: MailD

A component scanning email messages for signs of spam.

Used by the Dr.Web MailD component. Can be unavailable depending on distribution. If it is unavailable, scanning email messages for sings of spam is not performed by the Dr.Web MailD component.

The component is not supported for ARM64, E2K and IBM POWER (ppc64el) architectures.


Executable file: drweb-ase.

Logged internal name: Antispam

3. Service Components

Component

Description

The Dr.Web Cloud interaction component.

Sends URLs visited by the user and information about the scanned files to Dr.Web Cloud to scan them for threats not yet covered by virus databases


Executable file: drweb-cloudd.

Logged internal name: CloudD

Dr.Web for UNIX Mail Servers configuration daemon.

Starts and stops other product components depending on the settings.

Restarts components if a failure in their operation occurs. Starts components at the request of other components. Informs active components when another component starts or shuts down.

Stores information about current license keys and settings and provides this information to all components. Receives adjusted settings and license keys from the designated components of Dr.Web for UNIX Mail Servers. Notifies other components of changes in license keys and settings


Executable file: drweb-configd.

Logged internal name: ConfigD

The centralized protection agent. Ensures product operation in the centralized protection and mobile modes.

Provides connection between the product and the centralized protection server, receives a license key file, updates of the virus databases and anti-virus engine.

Sends the information about the Dr.Web for UNIX Mail Servers components, their status and statistics on virus events to the server


Executable file: drweb-esagent.

Logged internal name: ESAgent

A component for retrieving data from external data sources.

Retrieves data from external data sources (directory services, files, relative databases, and so on) to be used in rules of traffic monitoring


Executable file: drweb-lookupd.

Logged internal name: LookupD

An email message scanning component which manages queues of messages to be scanned.

Used by the Dr.Web MailD component. Can be unavailable depending on distribution. If it is unavailable, the SMTP and BCC modes of Dr.Web MailD are not supported.


Executable file: drweb-mail-quarantine.

Logged internal name: MailQuarantine

A component for storing Dr.Web for UNIX Mail Servers component operation events.

Receives and stores events of the product components (such as abnormal termination, threat detection, and so on)


Executable file: drweb-statd.

Logged internal name: StatD

An updating component.

Downloads updates of virus databases and databases of web resource categories, the anti-virus engine and the library for scanning email messages for signs of spam from Doctor Web servers.

The updates can be downloaded automatically, on schedule, and on user demand (via the Dr.Web Ctl utility or management web interface)


Executable file: drweb-update.

Logged internal name: Update

4. Interface Components

Component

Description

Dr.Web for UNIX Mail Servers component management web server.

Provides a custom HTTP API for managing Dr.Web for UNIX Mail Servers components.

This API is used by the management web interface.

For security reasons, the component uses HTTPS to connect to the management web interface.

Uses Dr.Web Network Checker to send data for scanning to Dr.Web Scanning Engine


Executable file: drweb-httpd.

Logged internal name: HTTPD

Management Web Interface.

Can be accessed using any browser on a local or remote host. The management web interface enables the product not to use third-party web servers, such as Apache HTTP Server, or remote administration tools, such as Webmin.

The functionality is ensured by the Dr.Web HTTPD web server

A tool for managing Dr.Web for UNIX Mail Servers from the command line of an operating system.

Allows the user to start file scanning, view and manage quarantined objects, start a virus database update procedure, connect Dr.Web for UNIX Mail Servers to or disconnect it from a centralized protection server, view and change product parameters


Executable file: drweb-ctl.

Logged internal name: Ctl

An SNMP agent.

Designed for integration of Dr.Web for UNIX Mail Servers into external monitoring systems over SNMP. Such integration allows you to monitor the state of the product components and to collect statistics on threat detection and neutralization.

Supports SNMP v2c and v3 protocols


Executable file: drweb-snmpd.

Logged internal name: SNMPD

A component emulating the interface of the clamd anti-virus daemon (the component of the ClamAV® anti-virus).

Allows all applications supporting ClamAV® to use Dr.Web for UNIX Mail Servers transparently for anti-virus scanning.

Depending on the mode, uses Dr.Web File Checker or Dr.Web Network Checker to pass data for scanning to Dr.Web Scanning Engine


Executable file: drweb-clamd.

Logged internal name: ClamD

The figure below shows the structure of Dr.Web for UNIX Mail Servers and its interaction with external applications.

Figure 1. The structure of Dr.Web for UNIX Mail Servers

In this scheme, the following notations are used:

 

—Dr.Web for UNIX Mail Servers as a whole and external Dr.Web applications not distributed with it

 

—programs external to Dr.Web for UNIX Mail Servers and products that integrate with it

 

—the service components that perform particular anti-virus protection tasks (anti-virus databases updates, connection to centralized protection servers, overall coordination of operation, and so on)

 

—interface components that provide (the user or third party applications) with the Dr.Web for UNIX Mail Servers management interface

 

—components used for anti-virus scanning

 

—basic anti-virus components that form the Dr.Web for UNIX Mail Servers core. Used by the components that perform data and file scans

Components marked with a dotted line can be absent depending on the Dr.Web for UNIX Mail Servers distribution or usage.

For details on Dr.Web for UNIX Mail Servers components, refer to Dr.Web for UNIX Mail Servers Components.